suricata


stetnt4

Oct 6, 2023, 7:36:12 PM
to Wazuh | Mailing List
Hello! I configured it according to the instructions, but there are no notifications in the panel. https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html

/var/ossec/etc/ossec.conf
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>yes</logall>
  </global>
</ossec_config>

Wazuh: added the path to the Windows agent:
<localfile>
  <log_format>json</log_format>
  <location>C:\Program Files\Suricata\log\eve.json</location>
</localfile>

Sebastian Dario Bustos

Oct 6, 2023, 11:23:43 PM
to Wazuh | Mailing List
Hi stetnt4,
Thank you for using Wazuh!!!

I have a few questions about this:
Have you checked that the file C:\Program Files\Suricata\log\eve.json is successfully catching logs?
Once you modified the ossec.conf file, you restarted the agent service, correct?

Please check for errors in the file C:\Program Files\Suricata\log\suricata.log.

You can also attempt to enable debug on the Wazuh agent to try to narrow down the cause. For this you need to enter the following on a new line in the file C:\Program Files (x86)\ossec-agent\local_internal_options.conf:
windows.debug=2

Save and then restart the Wazuh agent service (you can also do it from the win32ui application located in the Wazuh installation folder: click on the Manage menu -> Restart).

Leave it running for a few minutes and then you will be able to see the debug logs in C:\Program Files (x86)\ossec-agent\ossec.log; search for eve.json near the end of the file to check if the localfile configuration is working as expected.
It is advisable to remove the debug option once you are done and restart the agent service (to save disk space).

Please provide log data so we can better understand the issue.
Thank you.

Regards.

stetnt4

Oct 7, 2023, 4:48:56 AM
to Wazuh | Mailing List
Hello! (Attached screenshot: 1.jpg)
2023/10/07 11:40:51 wazuh-agent[2132] logcollector.c:1228 at set_read(): DEBUG: Socket target for 'C:\Program Files\Suricata\log\eve.json' -> agent
2023/10/07 11:40:51 wazuh-agent[2132] logcollector.c:379 at LogCollectorStart(): INFO: (1950): Analyzing file: 'C:\Program Files\Suricata\log\eve.json'.
2023/10/07 11:41:00 wazuh-agent[2132] read_json.c:158 at read_json(): DEBUG: Read 4 lines from C:\Program Files\Suricata\log\eve.json

stetnt4

Oct 8, 2023, 6:37:46 AM
to Wazuh | Mailing List
Events arrive but are not displayed on the panel. (Attached screenshots: 1.jpg, 2.jpg, 3.jpg)

Saturday, October 7, 2023 at 11:48:56 UTC+3, stetnt4:

suricata

Oct 9, 2023, 4:15:31 AM
to Wazuh | Mailing List
Hi, stetnt4

I am seeing that the fast.log file size is 0, that is, you have no alerts. That's why you don't see anything.

On the other hand, for Wazuh, I would disable fast.log. It doesn't contribute anything, since what you need is in eve.json, and you will gain performance.

Regards
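As an added example (not part of the thread and not Wazuh or Suricata code), the following Python script makes the distinction in the reply above concrete: it reads eve.json lines, counts them per event_type and reports whether any of them are alerts, since the agent reading lines from eve.json (as in the earlier debug output) is not the same as Suricata having produced an alert. The sample lines, the IP addresses and the rule signature are constructed for the example.

```python
import json
from collections import Counter

# Constructed eve.json lines (sample data, not from the thread): three
# non-alert event types followed by one alert from a hypothetical local rule.
SAMPLE_EVE = """\
{"timestamp":"2023-10-07T11:40:51.000000+0300","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}
{"timestamp":"2023-10-07T11:40:52.000000+0300","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","rrname":"example.test"}}
{"timestamp":"2023-10-07T11:40:53.000000+0300","event_type":"stats","stats":{"uptime":120}}
{"timestamp":"2023-10-07T11:40:54.000000+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature_id":9000001,"signature":"LOCAL TEST constructed rule","severity":2}}
"""
# The same sample with the alert removed: the situation reported in the thread.
NO_ALERT_EVE = "\n".join(SAMPLE_EVE.splitlines()[:3])

def summarize_eve(text):
    """Return (counts per event_type, alert summaries, unparsable line count).

    A line that is not valid JSON (for example one Suricata is still writing)
    is counted as unparsable instead of aborting the whole read.
    """
    counts, alerts, unparsable = Counter(), [], 0
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            unparsable += 1
            continue
        etype = ev.get("event_type", "unknown")
        counts[etype] += 1
        if etype == "alert":
            a = ev.get("alert", {})
            alerts.append({"sid": a.get("signature_id"), "signature": a.get("signature"),
                           "severity": a.get("severity"), "src_ip": ev.get("src_ip"),
                           "dest_ip": ev.get("dest_ip")})
    return counts, alerts, unparsable

def diagnose(text):
    """Map the summary to the situations discussed in the thread."""
    counts, alerts, _ = summarize_eve(text)
    total = sum(counts.values())
    if total == 0:
        return "empty: nothing in eve.json, check that Suricata is running and writing to this path"
    if not alerts:
        return "no-alerts: %d event(s) read but none is an alert, so there is nothing to show" % total
    return "ok: %d alert(s) among %d event(s)" % (len(alerts), total)

if __name__ == "__main__":
    print(diagnose(SAMPLE_EVE))
    print(diagnose(NO_ALERT_EVE))
```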

stetnt4

Oct 11, 2023, 3:47:25 AM
to Wazuh | Mailing List
The issue is resolved.

Monday, October 9, 2023 at 11:15:31 UTC+3, suricata: